CLIENT DATA PROCESSING AGREEMENT

Transcription

1 CLIENT DATA PROCESSING AGREEMENT This Data Processing Agreement for the Data Protection (the Agreement ) of Data Processed is entered into on./../ (hereinafter referred to as the Effective Date ) by and between: MOBIWEB LIMITED, a company incorporated under the laws of Hong Kong, having its registered offices at 111, How Ming Street, Futura Plaza, Room 2103, Kwun Tong, Hong Kong, under Registration Number: , duly represented by the signee, hereinafter referred to as MobiWeb and....., a company incorporated in.... under registration number... whose principal place of business is at., duly represented by the signee, hereinafter referred to as Company. Hereinafter individually referred to as a Party and jointly as the Parties. WHEREAS: - The Effective Date shall be the date on which this Agreement is signed by the Company and MobiWeb. - The Parties have entered into a services agreement, the Wholesale SMS and Voice Messaging Agreement (hereinafter Main Agreement. - Due to the Main Agreement, MobiWeb will process Personal Data for the Company, for the purpose of the conveyance of SMS messages and Voice messages, on behalf of the Company, as defined in the Main - Under EU regulation 2016/679 GDPR, depending on the role of the Company, MobiWeb will act accordingly: - When the Company is the Data Controller, MobiWeb will be the Data Processor of the Company. - The Company is the Data Controller that controls Personal Data, collecting consent, managing consent-revoking, enabling right to access to Data Subjects. - MobiWeb is the Data Processor, that processes Personal Data on behalf of and under the instruction of the Company (Data Controller) and MobiWeb transfers Personal Data to a Sub-Processor for the purpose of provision of the Services as set forth in the Main - When the Company is the Data Processor or the Data Sub-Processor, MobiWeb will be the Data Sub- Processor of the Company. - The Company is the Data Processor that processes Personal Data on behalf of and under the instruction of the Data Controller or is the Data Sub-Processor that processes Personal Data on behalf of and under the instruction of the Data Processor that processes Personal Data on behalf of the Data Controller. - MobiWeb is the Data Sub-Processor, that processes Personal Data on behalf of and under the instruction of the Company and MobiWeb transfers Personal Data to a Sub-Processor for the purpose of provision of the Services as set forth in the Main NOW THEREFORE, THE PARTIES HEREBY AGREE AS FOLLOWS: ARTICLE 1 - DEFINITIONS Words and phrases used in this Agreement have the following meanings: Agreement: Main Agreement: GDPR: Data Controller: The present Data Processing Agreement and all Annexes hereto. The Master The EU General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It replaces the prior Data Protection Directive (95/46/EC) of The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its Page 1 of 7

2 nomination may be provided for by Union or Member State law. Furthermore, Data Controller controls Personal Data, collecting consent, managing consent-revoking, enabling right to access to Data Subjects. Data Processor: The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller. Furthermore, Data Processor processes Personal Data on behalf of and under the instruction of the Data Controller. Data Sub-Processor: Data Protection Law(s): Data Subject(s): EEA: Personal Data Breach: A Processor engaged by the Data Processor, for the purpose of carrying out specific processing activities on behalf of the Data Controller. the local and international data regulation(s) and legislation(s) that are in force in any part of the world. An identifiable natural person, one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The European Economic Area. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Service(s): The conveyance of SMS messages and Voice messages, provisioned by MobiWeb to the Company, as defined in the Main Agreement Personal Data: Any information relating to a Data Subject. Data Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing Instructions: The instruction(s) as set forth by the Data Controller to the Data Processor, for Data Processing of Personal Data of Data Subjects, for the purpose of Data Processor, provisioning Services to the Data Controller. Data Provider: The Company, a controller (or, where permitted, a processor) that transfers personal data to MobiWeb for the provisioning of Services to the Company. ARTICLE 2 - SUBJECT 2.1 This Agreement forms part of the Master Agreement between MobiWeb and Company for the purpose of MobiWeb provisioning Services to the Company to reflect the Parties agreement with regard to the Data Processing of Personal Data. 2.2 By signing the Agreement, Company enters into this Agreement on behalf of itself and, to the extent required under applicable Data Protection Laws and GDPR, if and to the extent MobiWeb processes Personal Data that the Company provides and therefore qualifies as a Data Provider (Data Controller, Data Processor or Data Sub-Processor). 2.3 In the course of providing the Services to the Company pursuant to the Agreement, MobiWeb may Process Personal Data on behalf of the Company and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. Page 2 of 7

3 ARTICLE 3 PERSONAL DATA PROCESSING 3.1 MobiWeb shall process Personal Data provided by the Company on behalf and in accordance to the written instructions of the Company, unless required otherwise by applicable Laws. 3.2 Company shall, in its use of the Services provisioned by MobiWeb, Process Personal Data in accordance with the requirements of Data Protection Laws and GDPR. For the avoidance of doubt, Company s instructions for the Processing of Personal Data shall comply with Data Protection Laws and GDPR. Company shall have sole responsibility for the accuracy, quality, legitimacy and legality of Personal Data Processing and the means by which Company acquired Personal Data. 3.3 The subject-matter of Personal Data Processing by MobiWeb is the provision and performance of the Services pursuant to the Agreement and Master The purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Agreement are further specified in Annex 1 of this 3.4 The Company hereby instructs MobiWeb to carry out part of the Processing. 3.5 In the event that MobiWeb believes that the Company s instructions conflict with Data Protection Laws and GDPR, MobiWeb will inform the Company and the company will amend the instructions accordingly. MobiWeb will not carry any processing instructions that conflict with GDPR and any Data Protection Laws. ARTICLE 4 PERSONNEL 4.1 MobiWeb shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. MobiWeb shall ensure that such confidentiality obligations survive the termination of the personnel engagement and the 4.2 MobiWeb shall take commercially reasonable steps to ensure the reliability of any MobiWeb personnel engaged in the Processing of Personal Data. 4.3 MobiWeb shall ensure that MobiWeb s access to Personal Data is limited to those personnel who require such access to perform the 4.4 MobiWeb's Data Protection Team may be reached at dataprotection@solutions4mobiles.com or ARTICLE 5 - OBLIGATIONS 5.1 MobiWeb shall assist the Company in providing retrieval access, correction, delete and block to Personal Data processed to Data Subjects and Authorities, allowing Data Subjects to exercise their rights under GDPR and Data Protection Laws. 5.2 MobiWeb shall assist the Company in meeting its GDPR obligations in relation to the security of Processing, the notification of Personal Data Breaches and data protection impact assessments. 5.3 MobiWeb shall inform the Company immediately upon becoming aware of requests received directly by Data Subjects and Authorities. 5.4 MobiWeb shall provide information and data to the Company, to assist the Company in meeting its GDPR obligations. 5.5 MobiWeb shall delete or return all Personal Data to the Company as requested at the end of the Agreement, unless required for the performance of Services or required by applicable Laws and Regulations. 5.6 MobiWeb shall process Personal Data only to provide Company with the Services as described in the Master 5.7 MobiWeb shall provide at all times sufficient guarantees for its compliance with the requirements of the GDPR. Page 3 of 7

4 5.8 MobiWeb shall treat the Personal Data as strictly confidential, ensuring personnel authorised access and secure processing. 5.9 MobiWeb shall ensure data availability and restoration functionality to the Company. ARTICLE 6 AUDIT AND COMPLIANCE 6.1 MobiWeb shall cooperate with Authorities in accordance with GDPR requirements. 6.2 MobiWeb shall inform the Company immediately upon becoming aware of requests received by Authorities. 6.3 MobiWeb shall allow for and shall contribute to audits and inspections conducted by a Company appointed auditor. Subject to reasonable prior notice from Company to MobiWeb, the appointed auditor may enter the rooms or locations where the personal data is processed by MobiWeb and inspect, audit any relevant records, processes and systems, and copy any relevant Personal Data records to verify compliance with GDPR and Data Protection Laws. 6.4 Company agrees to pay any and all costs of the full audit processes that are initiated by the Company and audit processes initiated by Authorities due to services provisioned by MobiWeb to the Company, including costs of involved third-parties (auditors, data centres, etc.) and MobiWeb (personnel compensation, traveling expenses, etc.). 6.5 Company agrees that MobiWeb shall combine several audits in one single audit, in order to limit any impact on MobiWeb and third-parties operations. 6.6 MobiWeb shall fully cooperate and make available to Company on its demand all information that is necessary to demonstrate compliance with the GDPR obligations and obligations under this ARTICLE 7 - SECURITY AND DATA PROTECTION 7.1 MobiWeb shall take appropriate organizational and technical measures and policies to ensure security of Personal Data Processing and meet sufficient guarantees of protection and security standards, including measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of Personal Data over a network, and against all unlawful forms of Processing. ARTICLE 8 PERSONAL DATA BREACH 8.1 MobiWeb maintains security incident management policies and procedures and shall notify Company without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Data, including Personal Data, transmitted, stored or otherwise Processed by MobiWeb or its Sub-Processors of which MobiWeb becomes aware. MobiWeb shall make reasonable endeavours to identify the cause of such Personal Data Breach Incident and take those steps as MobiWeb deems necessary and reasonable in order to remediate the cause of such an Incident to the extent the remediation is within MobiWeb s reasonable control. The obligations herein shall not apply to incidents that are caused by Company, Company s Systems (Software and Hardware) or Company s Personnel. ARTICLE 9 - SUB-PROCESSORS 9.1 Company agrees that MobiWeb shall use Sub-Processors for the provision and performance of the Services pursuant to the Agreement and Master MobiWeb shall ensure that Sub-Processors involved in the Processing of Personal Data shall be capable of providing necessary operational and technical level to comply with the requirements of GDPR and Data Protection Laws. 9.2 MobiWeb shall inform the Company of any intended changes concerning the addition or replacement of other Sub-Processors, thereby giving the Company the opportunity to consent or object to such changes through written material or electronic form. MobiWeb shall not execute changes without the written consent of the Company. Page 4 of 7

5 9.3 The Company will fully indemnify and hold MobiWeb harmless against all direct and indirect losses, claims, damages, fees and expenses incurred as a result of delays in Company s consent to Sub- Processor changes proposed by MobiWeb. ARTICLE 10 LIABILITY AND INDEMNITY The Company shall indemnify and hold MobiWeb harmless against claims by Data Controllers, Data Processors, Data Sub-Processors, Data Subjects and/or penalties or fines imposed by an authority for which MobiWeb might become liable, due to an attributable failure by the Company to comply with the obligations under this Agreement and/or applicable Data Protection Laws MobiWeb shall indemnify and hold the Company harmless against claims by Data Controllers, Data Processors, Data Sub-Processors, Data Subjects and/or penalties or fines imposed by an authority for which the Company might become liable, due to an attributable failure by MobiWeb to comply with the obligations under this Agreement and/or applicable Data Protection Laws Company agrees to be held liable against all expenses, losses, costs and damages arising due to an attributable failure by the Company to comply with the obligations under this Agreement and/or applicable Data Protection Laws The Company shall have full and sole liability for all damages resulting from a failure on its part to comply with the Agreement, GDPR and Data Protection Laws. Company shall indemnify and hold MobiWeb harmless against all expenses, losses, costs and damages arising therefrom. Should any person to whom personal data relates lodge a claim for compensation against MobiWeb and such claim is due to the Company s failure to comply with the provisions of this Agreement, GDPR or Data Protection Laws, the Company agrees to assist and intervene in MobiWeb s defence upon MobiWeb s request and shall indemnify and hold MobiWeb harmless from and against all expenses, losses, costs and damages Any limitations of liability agreed elsewhere shall not apply to this ARTICLE 11 - APPLICABLE LAW AND JURISDICTION 11.1 This Agreement shall be governed by the laws of Switzerland and any dispute concerning the implementation or interpretation of this Agreement that cannot be settled amicably between the parties shall be submitted to a federal or state court of law having jurisdiction in Geneva, Switzerland. ARTICLE 12 - DURATION 12.1 This Agreement will enter into effect on the Effective Date and will remain effective regardless termination of the Upon the Company s request, MobiWeb shall return or destroy the Personal Data, unless required for the performance of Services or required by applicable Laws and Regulations. If MobiWeb is required to retain Personal Data, MobiWeb shall inform the company and both Parties agree to cooperate towards the best possible solution for both Parties. If the Master agreement is terminated, this Data Processing Agreement will expire automatically. ARTICLE 13 - AFTER DATA PROCESSING TERMINATION 13.1 MobiWeb shall guarantee the confidentiality of the Personal Data transferred and will not Process the Personal Data of the Company after the termination of the 13.2 MobiWeb agrees to allow and to contribute to audits and inspections, subject to Article 6 of this ARTICLE 14 ORDER OF PRECEDENCE 14.1 In the event of a conflict between the provisions of this Agreement and those of the Master Agreement in respect of the Processing and Protection of Data, the provisions of this Agreement will prevail. Except as expressly modified herein, all terms and conditions of the Agreement shall remain in full force and effect. Page 5 of 7

6 IN WITNESS WHEREOF, the Parties have executed this Master Agreement effective as of the Effective Date. SIGNED FOR AND ON BEHALF of MobiWeb Name: Title: SIGNED FOR AND ON BEHALF of Company Name: Title: Signature: Date: Signature: Date: Page 6 of 7

7 ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR. SUBJECT AND DURATION OF THE PROCESSING OF COMPANY PERSONAL DATA The subject matter and duration of the Processing of the Company Personal Data are set out in the Master Agreement and this THE NATURE AND PURPOSE OF THE PROCESSING OF COMPANY PERSONAL DATA [Include descriptions here] Examples: SMS, One-Time PINs THE CATEGORIES OF DATA THE TYPES OF COMPANY PERSONAL DATA TO BE PROCESSED [Include list of data types here] Examples: MSISDN, IMSI THE CATEGORIES OF DATA SUBJECT TO WHOM THE COMPANY PERSONAL DATA RELATES [Include categories of data subjects here] Examples: Customers, Users THE OBLIGATIONS AND RIGHTS OF COMPANY The obligations and rights of Company and Company Affiliates are set out in the Master Agreement and this Page 7 of 7